Skip to content

Security

How we protect your data — and how we designed the system so we never have to.

Local-first architecture

The best way to protect your financial data is to never collect it. Open Accountant's CLI runs entirely on your machine. Your transactions, categories, and analysis results never touch our servers.

Component

Consumer financial data?

Wilson CLI

Local only — never transmitted

SQLite database

Local only — ~/.openaccountant/data.db

Ollama (AI)

Local only — zero network calls

API (Cloudflare Workers)

None — stateless skill delivery

Marketing site

None — static pages

Encryption

In transit

All hosted endpoints enforce TLS 1.2+ via Cloudflare. SSL certificates are managed automatically. HSTS headers are enabled. Plaid API calls from the CLI use TLS 1.2+ as enforced by Plaid's SDK.

At rest

Our infrastructure doesn't store consumer data — there's nothing to encrypt. On your machine, we recommend OS-level full-disk encryption: FileVault (macOS), BitLocker (Windows), or LUKS (Linux). Plaid access tokens will be stored via OS keychain integration. Additionally, application-level encryption via SQLCipher will encrypt all Plaid-sourced data in the local database before production launch.

Access controls

  • Production infrastructure (Cloudflare) — MFA required, limited to authorized team members
  • Source code (GitHub) — MFA required, branch protection on main, CI must pass
  • Secrets (API keys, tokens) — stored as Cloudflare Workers encrypted secrets, never in code
  • Serverless — no SSH, no VMs, no persistent infrastructure to compromise
  • Deployment — via CI/CD only; credentials stored as GitHub Actions secrets

Plaid integration security

When the Pro tier's Plaid integration is active:

  • Bank credentials are handled entirely by Plaid — Wilson never sees them
  • Plaid Link (the connection widget) runs in Plaid's secure environment
  • Wilson receives only an access token and transaction data
  • Transactions go into your local SQLite database — not our servers
  • Access tokens are stored locally with OS keychain encryption
  • Users can disconnect at any time, revoking the token on both ends

Vulnerability management

Dependency scanning

GitHub Dependabot monitors all repositories for known vulnerabilities. npm audit runs in CI on every pull request.

Code review

All changes to main require pull request review. TypeScript strict mode is enabled. CI runs type checking on every PR.

Infrastructure

Cloudflare Workers runs on Cloudflare's hardened platform with automatic patching, DDoS protection, and WAF. No self-managed servers to maintain.

Third-party security

Service

Purpose

Compliance

Cloudflare

Hosting

SOC 2 Type II, ISO 27001

Plaid

Bank connectivity

SOC 2 Type II

Polar.sh

License keys

Standard payment security

GitHub

Source code, CI/CD

SOC 2 Type II

Ollama

AI inference

Fully local — no network

Report a vulnerability

Open Accountant is open source. You can audit every line of code that handles financial data.

If you find a security issue, email human@openaccountant.ai or open a GitHub security advisory. We take security reports seriously and will respond within 48 hours.

Last updated: March 2026